# cf. Example ipfw ruleset, http://codesnippets.joyent.com/posts/show/1267 # cf. also http://codesnippets.joyent.com/posts/show/1729 man ipfw 2>/dev/null | less -p "If the ruleset" man ipfw 2>/dev/null | less -p "These dynamic rules" man ipfw 2>/dev/null | less -p "All rules" man ipfw 2>/dev/null | less -p "STATEFUL FIREWALL" # press [n] man ipfw 2>/dev/null | less -p "SYSCTL VARIABLES" man ipfw 2>/dev/null | less -p "EXAMPLES" man ipfw 2>/dev/null | less -p "DYNAMIC RULES" /usr/bin/sudo /sbin/ipfw -d -e -t list /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/sed -E -n -e '1,/^## Dynamic rules/p' /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/sed -E -n -e '/^## Dynamic rules/,$p' /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/awk '/^## Dynamic rules/,/^$/ {print $0}' /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/awk '/<->/ {print $0}' /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/awk '{ if ( $0 ~ /<->/ ) {print $0}}' /usr/bin/sudo /sbin/ipfw -d -e -t list | grep RULENUM /usr/bin/sudo /sbin/ipfw -d -e -t list | grep IPADDR /usr/sbin/sysctl -a | egrep 'tcp' /usr/sbin/sysctl -a | egrep 'net.inet' /usr/sbin/sysctl -a | egrep '\.fw' /usr/sbin/sysctl -a | egrep 'ip.fw' /usr/sbin/sysctl -a | egrep 'li[fv]e' /usr/sbin/sysctl -a | egrep 'ip.fw.+life' /usr/sbin/sysctl -n net.inet.tcp.always_keepalive /usr/sbin/sysctl -n net.inet.ip.fw.dyn_keepalive /usr/sbin/sysctl -n net.inet.ip.fw.dyn_buckets /usr/sbin/sysctl -n net.inet.ip.fw.dyn_count /usr/sbin/sysctl -n net.inet.ip.fw.dyn_max # list all dynamic ipfw rules function ipfwtraffic() { declare args argsregex bytes megabytes if [[ $# -eq 0 ]]; then /usr/bin/sudo /sbin/ipfw -d -e -t list | \ /usr/bin/awk '/<->/ {printf "%-10s %-10s %-20s %-10s %-20s %-10s %-10s\n", $3, $6, $7, $8, $10, $11, $1}' | \ /usr/bin/sort -bu | while IFS=" " read bytes proto ipnum1 port1 ipnum2 port2 rulenum; do # byte #bytes=$(printf "%s\n" "${bytes}" | /usr/bin/awk '{ total = total + $1 } END { print total }') #printf "\e[1mbytes\e[m: %-17s %-10s %-40s \e[1mrule\e[m: %-15s \e[1mports\e[m: %-15s\n" \ #"${bytes}" "${proto}" "${ipnum1} :: ${ipnum2}" "${rulenum}" "${port1} ${port2}" # mega byte megabytes=$(printf "%s\n" "${bytes}" | /usr/bin/awk '{ total = (total + $1) / (1024*1024.0) } END { print total }') printf "\e[1mmbytes\e[m: %-20.6f %-10s %-40s \e[1mrule\e[m: %-15s \e[1mports\e[m: %-15s\n" \ "${megabytes}" "${proto}" "${ipnum1} :: ${ipnum2}" "${rulenum}" "${port1} ${port2}" done | /usr/bin/sort -rn -k 2,2 else args="${@}" if [[ "${args}" != "${args//[^. [:digit:]]/}" ]]; then printf "%s\n" 'Found at least one invalid rule number or IP address!' return 1 fi if [[ "${args//[ [:digit:]]/}" == '' ]]; then argsregex="^0*(${args// /|})" # ipfw rule numbers else argsregex="(${args// /|})" # IP addresses fi #echo $argsregex /usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ {printf "%-10s %-10s %-20s %-10s %-20s %-10s %-10s\n", $3, $6, $7, $8, $10, $11, $1}' | \ /usr/bin/sort -bu | while IFS=" " read bytes proto ipnum1 port1 ipnum2 port2 rulenum; do # byte #bytes=$(printf "%s\n" "${bytes}" | /usr/bin/awk '{ total = total + $1 } END { print total }') #printf "\e[1mbytes\e[m: %-17s %-10s %-40s \e[1mrule\e[m: %-15s \e[1mports\e[m: %-15s\n" \ #"${bytes}" "${proto}" "${ipnum1} :: ${ipnum2}" "${rulenum}" "${port1} ${port2}" # mega byte megabytes=$(printf "%s\n" "${bytes}" | /usr/bin/awk '{ total = (total + $1) / (1024*1024.0) } END { print total }') printf "\e[1mmbytes\e[m: %-20.6f %-10s %-40s \e[1mrule\e[m: %-15s \e[1mports\e[m: %-15s\n" \ "${megabytes}" "${proto}" "${ipnum1} :: ${ipnum2}" "${rulenum}" "${port1} ${port2}" done | /usr/bin/sort -rn -k 2,2 fi return 0 } # usage: # ipfwtraffic # ipfwtraffic [rulenum1] [rulenum2] [rulenum3] ... # ipfwtraffic [ipaddr1] [ipaddr2] [ipaddr3] ... ipfwtraffic ipfwtraffic 9600 10600 11000 ipfwtraffic xx.xxx.xx.xxx xx.xxx.xx.xx ipfwtraffic | grep 'xx.xxx.xx.xx' #------------------------------------------------------------------------------ # summarize pairs of IP addresses function ipfwdynstats() { declare args argsregex dynrules ipaddr_pairs OIFS=${IFS} IFS=$'\n' if [[ $# -eq 0 ]]; then ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/awk '/<->/ {print $7, $10}' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/awk '/<->/ {print $7, $8, $10, $11, $6, $2, $3, $1}' | /usr/bin/sort -bu)) else args="${@}" if [[ "${args}" != "${args//[^. [:digit:]]/}" ]]; then printf "%s\n" 'Found at least one invalid rule number or IP address!' return 1 fi if [[ "${args//[ [:digit:]]/}" == '' ]]; then argsregex="^0*(${args// /|})" # ipfw rule numbers else argsregex="(${args// /|})" # IP addresses fi ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ {print $7, $10}' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ {print $7, $8, $10, $11, $6, $2, $3, $1}' | /usr/bin/sort -bu)) fi for ((i=0; i < "${#ipaddr_pairs[@]}"; i++)); do # byte #bytesum=$(printf "%s\n" "${dynrules[@]}" | \ #/usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ #/usr/bin/awk '{ total = total + $1 } END { print total }') # mega byte bytesum=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ /usr/bin/awk 'BEGIN { total=0 }; { total = (total + $1) / (1024*1024.0) } END { print total }') proto=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $5 }' | \ /usr/bin/sort -bu) rule=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $NF }' | \ /usr/bin/sort -bu) ports=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $2,$4 }' | \ /usr/bin/sort -bu) # byte #printf "\e[1mbytes\e[m: %-20s %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ #"${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ #"${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" # mega byte printf "\e[1mmbytes\e[m: %-20.6f %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ "${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ "${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" done | /usr/bin/sort -rn -k 2,2 export IFS=${OIFS} return 0 } # usage: # ipfwdynstats # ipfwdynstats [rulenum1] [rulenum2] [rulenum3] ... # ipfwdynstats [ipaddr1] [ipaddr2] [ipaddr3] ... ipfwdynstats ipfwdynstats 5200 12700 ipfwdynstats xx.xxx.xx.xxx xxx.xxx.xx.xxx #------------------------------------------------------------------------------ # list port-specific internet traffic function porttraffic() { declare args argsregex dynrules ipaddr_pairs OIFS=${IFS} IFS=$'\n' if [[ $# -eq 0 ]]; then printf "%s\n" 'No port number given!' return 1 elif [[ $# -eq 1 ]]; then if [[ "${1//[[:digit:]]/}" != '' ]]; then printf "%s\n" 'Invalid port number!' return 1 fi ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | \ /usr/bin/awk '/<->/ && ( $8 == "'"${1}"'" || $11 == "'"${1}"'" ) {print $7, $10 }' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | \ /usr/bin/awk '/<->/ && ( $8 == "'"${1}"'" || $11 == "'"${1}"'" ) {print $7, $8, $10, $11, $6, $2, $3, $1 }' | \ /usr/bin/sort -bu)) else args="${@:2}" # all arguments starting with the second if [[ "${args}" != "${args//[^. [:digit:]]/}" ]]; then printf "%s\n" 'Found at least one invalid rule number or IP address!' return 1 fi if [[ "${args//[ [:digit:]]/}" == '' ]]; then argsregex="^0*(${args// /|})" # ipfw rule numbers else argsregex="(${args// /|})" # IP addresses fi #echo $argsregex ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ && ( $8 == "'"${1}"'" || $11 == "'"${1}"'" ) {print $7, $10 }' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ && ( $8 == "'"${1}"'" || $11 == "'"${1}"'" ) {print $7, $8, $10, $11, $6, $2, $3, $1 }' | \ /usr/bin/sort -bu)) fi for ((i=0; i < "${#ipaddr_pairs[@]}"; i++)); do # byte #bytesum=$(printf "%s\n" "${dynrules[@]}" | \ #/usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ #/usr/bin/awk '{ total = total + $1 } END { print total }') # mega byte bytesum=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ /usr/bin/awk 'BEGIN { total=0 }; { total = (total + $1) / (1024*1024.0) } END { print total }') proto=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $5 }' | \ /usr/bin/sort -bu) rule=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $NF }' | \ /usr/bin/sort -bu) ports=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $2,$4 }' | \ /usr/bin/sort -bu) # byte #printf "\e[1mbytes\e[m: %-20s %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ #"${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ #"${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" # mega byte printf "\e[1mmbytes\e[m: %-20.6f %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ "${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ "${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" done | /usr/bin/sort -rn -k 2,2 export IFS=${OIFS} return 0 } # usage: # porttraffic [portnum] # porttraffic [portnum] [rulenum1] [rulenum2] [rulenum3] ... # porttraffic [portnum] [ipaddr1] [ipaddr2] [ipaddr3] ... porttraffic 80 porttraffic 80 5200 12700 7100 porttraffic 80 xx.xxx.xx.xxx xxx.xxx.xx.xxx #------------------------------------------------------------------------------ # list rule-specific internet traffic function ruletraffic() { declare args argsregex dynrules ipaddr_pairs OIFS=${IFS} IFS=$'\n' if [[ $# -eq 0 ]]; then printf "%s\n" 'No rule number given!' return 1 elif [[ $# -eq 1 ]]; then if [[ "${1//[[:digit:]]/}" != '' ]]; then printf "%s\n" 'Invalid rule number!' return 1 fi ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "^0*${1}" | \ /usr/bin/awk '/<->/ {print $7, $10}' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "^0*${1}" | \ /usr/bin/awk '/<->/ {print $7, $8, $10, $11, $6, $2, $3, $1}' | /usr/bin/sort -bu)) #echo "rulenum: ${1}" #echo "ipaddr_pairs: ${ipaddr_pairs[@]/%/$'\n'}" #echo "dynrules: ${dynrules[@]/%/$'\n'}" else args="${@}" if [[ "${args//[ [:digit:]]/}" != '' ]]; then printf "%s\n" 'Found at least one invalid rule number!' return 1 fi argsregex="^0*(${args// /|})" # ipfw rule numbers ipaddr_pairs=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ {print $7, $10}' | /usr/bin/sort -bu)) dynrules=($(/usr/bin/sudo /sbin/ipfw -d -e -t list | /usr/bin/egrep "${argsregex}" | \ /usr/bin/awk '/<->/ {print $7, $8, $10, $11, $6, $2, $3, $1}' | /usr/bin/sort -bu)) #echo "rulenums: ${@/%/$'\n'}" #echo "argsregex: ${argsregex}" #echo "ipaddr_pairs: ${ipaddr_pairs[@]/%/$'\n'}" #echo "dynrules: ${dynrules[@]/%/$'\n'}" fi for ((i=0; i < "${#ipaddr_pairs[@]}"; i++)); do # byte #bytesum=$(printf "%s\n" "${dynrules[@]}" | \ #/usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ #/usr/bin/awk '{ total = total + $1 } END { print total }') # mega byte bytesum=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $7 }' | \ /usr/bin/awk 'BEGIN { total=0 }; { total = (total + $1) / (1024*1024.0) } END { print total }') proto=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $5 }' | \ /usr/bin/sort -bu) rule=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $NF }' | \ /usr/bin/sort -bu) ports=$(printf "%s\n" "${dynrules[@]}" | \ /usr/bin/awk '$1 == "'"${ipaddr_pairs[${i}]% *}"'" && $3 == "'"${ipaddr_pairs[${i}]#* }"'" { print $2,$4 }' | \ /usr/bin/sort -bu) #echo "field 1: ${ipaddr_pairs[${i}]% *}" #echo "field 2: ${ipaddr_pairs[${i}]#* }" #echo "bytesum: ${bytesum}" #echo "proto: ${proto//[[:cntrl:]]/, }" #echo "rule: ${rule//[[:cntrl:]]/, }" #echo "ports: ${ports//[[:cntrl:]]/, }" # byte #printf "\e[1mbytes\e[m: %-20s %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ #"${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ #"${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" # mega byte printf "\e[1mmbytes\e[m: %-20.6f %-10s %-40s \e[1mrules\e[m: %-25s \e[1mports\e[m: %-30s\n" \ "${bytesum}" "${proto//[[:cntrl:]]/, }" "${ipaddr_pairs[${i}]% *} :: ${ipaddr_pairs[${i}]#* }" \ "${rule//[[:cntrl:]]/, }" "${ports//[[:cntrl:]]/, }" done | /usr/bin/sort -rn -k 2,2 export IFS=${OIFS} return 0 } # usage: # ruletraffic [rulenum] # ruletraffic [rulenum1] [rulenum2] [rulenum3] ... ruletraffic 5200 ruletraffic 5200 12700 7100 deny_rules="$(/usr/bin/sudo /sbin/ipfw show | /usr/bin/awk '/deny/ {printf $1" "}')" echo $deny_rules ruletraffic $deny_rules #------------------------------- /usr/sbin/netstat -n -ibd /usr/bin/sudo /usr/sbin/tcpdump -vvv -ni en0 not ip
Further information:
- IPFWstats
- ipfwsnmp
- ipfwsnmp (patched)
- ipfw counters (field 3)
- Multi Router Traffic Grapher
- cricket
